Cisco devices running IOS come with a feature called CBAC (Context-Based Access Control, the IOS Firewall) which can be configured to allow return traffic back into a network while maintaining a deny ip any any ACL on the external interface. In times past this was achieved with reflexive ACLs, with the established keyword in the ACL, or in some cases by allowing in all traffic destined to ports greater than 1024. IOS Firewall overcomes this by performing Layer 3 to 7 inspection on outgoing traffic and allowing the matching return traffic back into the network.
The show ip inspect session command displays the list of current sessions, similar to the output below.
Session 66AF9CEC (10.250.10.137:50857)=>(116.50.x.x:8081) tcp SIS_OPEN
Session 66AF8BDC (10.250.10.148:52245)=>(74.125.x.x:5222) tcp SIS_OPEN
Session 691B75A8 (10.250.10.129:64206)=>(74.125.x.x:443) https SIS_OPEN
Session 691B1D80 (10.250.10.143:51929)=>(107.23.x.x:443) https SIS_OPEN
Session 66B02844 (10.250.10.145:50720)=>(116.50.x.x:8081) tcp SIS_OPEN
Session 66B03F04 (10.250.10.158:59507)=>(116.50.x.x:8081) tcp SIS_OPEN
Session 68CA82C4 (10.250.10.129:63452)=>(216.151.x.x:119) tcp SIS_OPEN
Session 66B063FC (10.250.10.129:63725)=>(216.151.x.x:119) tcp SIS_OPEN
Session 66AFD01C (10.250.12.102:52854)=>(206.16.x.x:443) https SIS_OPEN
Session 66B00074 (10.250.12.106:4569)=>(138.99.x.x:4569) udp SIS_OPEN
Session 66B00BD4 (10.250.10.143:51634)=>(74.125.x.x:5222) tcp SIS_OPEN
Session 691B6A48 (10.250.10.142:52065)=>(17.158.x.x:443) https SIS_OPEN
Session 66AFFAC4 (10.250.10.148:52244)=>(74.125.x.x:5222) tcp SIS_OPEN
The following regex will isolate the second IP address in the above output. When IP inspection is applied on the external interface in the outbound direction, the second IP address corresponds to the external resource being accessed.
I’ve seen shorter versions but none seem to work well with the Python regular expression implementation. Not having a strong regex background, the real challenge was creating an expression that would skip the first IP address and only match the second. This was accomplished by using a negative lookahead.
Once the external IP is isolated it can be used with other tools such as GeoIP lookups (why are there so many connections from that host going to Russia?).
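As an added example (not the post's own regex, which is not reproduced above), the Python below parses this session output and isolates the destination address two ways: a negative-lookahead pattern of the kind the post describes, and a fuller named-group pattern that also yields ports, protocol and state for later GeoIP or counting work. The sample lines are constructed with TEST-NET addresses because the post redacts the external octets as x.x.

```python
import re
from collections import Counter

# Constructed sample in the layout of `show ip inspect session` (not the
# post's output; TEST-NET addresses replace the redacted x.x octets).
# One stray line is included to show that non-session lines are ignored.
SAMPLE_OUTPUT = """\
Session 66AF9CEC (10.250.10.137:50857)=>(203.0.113.10:8081) tcp SIS_OPEN
Session 66AF8BDC (10.250.10.148:52245)=>(198.51.100.5:5222) tcp SIS_OPEN
Session 691B75A8 (10.250.10.129:64206)=>(198.51.100.5:443) https SIS_OPEN
Session 66B00074 (10.250.12.106:4569)=>(203.0.113.77:4569) udp SIS_OPEN
Session 66B00BD4 (10.250.10.143:51634)=>(198.51.100.5:5222) tcp SIS_OPEN
show ip inspect session
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Lookahead form: an IPv4 address followed by ":port)" that is NOT then
# followed by "=>", i.e. the destination half of the endpoint pair.
DST_ONLY_RE = re.compile(r"(?<![\d.])(" + IPV4 + r")(?=:\d+\)(?!=>))")

# Named-group form: source and destination are told apart by position.
SESSION_RE = re.compile(
    r"^Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src_ip>" + IPV4 + r"):(?P<src_port>\d+)\)=>"
    r"\((?P<dst_ip>" + IPV4 + r"):(?P<dst_port>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>\S+)\s*$"
)

def destination_ips(text):
    """Destination IPs in order of appearance, via the lookahead regex."""
    return DST_ONLY_RE.findall(text)

def parse_sessions(text):
    """One dict per well-formed session line; anything else is skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        sessions.append(rec)
    return sessions

def external_host_counts(text):
    """Sessions per external host, most frequent first (input for GeoIP)."""
    return Counter(s["dst_ip"] for s in parse_sessions(text)).most_common()
```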